As with almost all computer operating systems, Google’s Android is designed around a “privilege” model: each piece of software running on your Android phone, from third-party apps to the operating system itself, is restricted as much as possible and only allowed the access it needs. This is what stops the latest game you’re playing from silently collecting all your passwords while still allowing a photo editing app to reach your camera roll, and the whole structure is enforced by digital certificates signed with cryptographic keys. If those keys are compromised, attackers can grant their own software permissions it shouldn’t have.
Google said in a statement Thursday that Android device makers have implemented mitigations, rotating keys and automatically pushing the fixes to users’ phones. The company has also added scanner detections for any malware that attempts to abuse the compromised certificates. Google said it found no evidence that the malware made it into the Google Play Store, meaning it was circulating via third-party distribution. Disclosure and coordination to address the threat have taken place through a consortium known as the Android Partner Vulnerability Initiative.
“Although this attack is quite serious, we were lucky this time around, as OEMs can quickly rotate affected keys by sending device updates over the air,” says Zack Newman, a researcher at software supply chain security firm Chainguard, who analyzed the incident.
Misusing the compromised “platform certificates” would allow an attacker to create malware anointed with extended permissions without needing to trick users into granting them. Google’s report, by Android reverse engineer Łukasz Siewierski, provides several malware samples that exploited the stolen certificates. They point to Samsung and LG as two of the manufacturers whose certificates were compromised, among others.
LG did not return a request from WIRED for comment. Samsung acknowledged the compromise in a statement and said that “there have been no known security incidents related to this potential vulnerability.”
While Google appears to have caught the problem before it spiraled, the incident underscores the reality that security measures can become single points of failure if they aren’t designed thoughtfully and with as much transparency as possible. Google itself debuted a mechanism last year called Google Binary Transparency that can act as a check on whether the version of Android running on a device is the expected, verified version. There are scenarios in which attackers could have enough access to a target’s system to defeat such logging tools, but they are still worth implementing to minimize damage and to surface suspicious behavior in as many situations as possible.
As always, the best defense for users is to keep the software on all of your devices up to date.
“The reality is that we will see attackers continue to pursue this type of access,” says Newman of Chainguard. “But this challenge isn’t unique to Android, and the good news is that security engineers and researchers have made significant progress in building solutions that prevent, detect, and enable recovery from these attacks.”